Cyber Crime: Can You Afford to Ignore It?
Are you worried that hackers in China might put you out of business? Do you have a business continuity plan? If not, you’d better keep reading. Your company’s financial well-being depends on it.
Thanks to human nature, we all tend to ignore low-probability dangers, even if they pack a high penalty. That's why people live in Florida where hurricanes can clobber them, or in California where earthquakes can swallow them. That's why you probably don't have a good computer backup scheme.
But what if you're wrong about how likely the threat is? Can your business survive if your computer, hard drives, or data are destroyed by hardware failure, hurricane, earthquake, or hackers?
New Ways to Ruin Your Day
Last week a supposedly helpful antivirus program update shut down thousands of computers every time users tried to restart. Computers in homes, companies, hospitals, libraries, government offices, and elsewhere suddenly became useless thanks to a routine process that quarantined an essential system file. There was no criminal intent, but the accident ruined a lot of people's day.
After we sold our flying business a few years ago, a contractor claimed the web shopping cart we'd paid him to build only belonged to us personally, and the new owner would have to pay a license fee. When we disputed his claim, showed him emails he’d sent us stating the company could use it forever, and reminded him that we'd paid with company checks, he broke into the site through a “back door” and shut it down in the middle of the holiday gift buying season.
Disgruntled employees, angry students, unruly mobs, and even enemy operatives have all destroyed computers and stolen information. But someone doesn't have to steal your computer or blow it up to threaten your livelihood…or your life.
An informer's name showed up on a police department's payroll printout, an innocent administrative document. Only one problem — a drug dealer's girlfriend was the computer operator, and she recognized the informer’s name. He soon became a former informer.
The folks who designed and built the first ATMs were worried someone would hack into the machine’s phone lines and tell it to spew bills. So they built in a sophisticated encryption algorithm. But unsophisticated crooks, oblivious to the sophistication, circumvented the fancy protection system. They backed a water truck up to the machine, filled it with water, and the money floated out.
That was years ago, and both computers and computer criminals (and ATMs) have become much more sophisticated. Today, a single data breach can cost a company millions of dollars and remediation can be several times that.
Russian cyber-criminals and organized crime hackers in the U.S. cost PayPal so much they were forced to develop expensive software to watch for patterns that would help them identify the culprits. It helped, and Homeland Security borrowed a page from their book and is using the same approach to look for terrorists.
Chinese hackers (apparently government sponsored) sent an instant message to a Google employee in China. They enticed her to click on a link that led to an apparently innocuous, but dangerous, website. The site allowed the intruders access to her PC, and through hers into the computers of a cadre of developers at Google headquarters in the U.S. Finally, they managed to break into a software library where they left a few lines of code that would allow them to return whenever they wanted to snoop for other vulnerabilities. Google (as far as they know) found it all within hours and plugged the holes.
Think about this for a minute: What if you batch out your credit card terminal at the end of the day and the funds go to somebody else's account? What if you received a letter, apparently from your bank, saying that your line of credit has been called, the funds are due within 15 days? What if you received an email saying, "I know what you're doing, and you won't get away with it"? (And what if your spouse received a copy too?)
All bad enough, but trivial compared to what could happen if someone hacks into our national financial system, power grid, air traffic control network, or even our traffic light systems.
What if Internet servers suddenly became confused and couldn't figure out the right destination for digital traffic? Think about that in the context of your website shopping cart, banking, and credit card services, and even your company’s electric service. For that matter, spend some time thinking about how you'll get your medicine and groceries when stores can't communicate with warehouses or shippers, when gas pumps can't approve a credit card or pump gas without communications or electricity.
In 2007, CNN ran a dramatic video that showed a huge generator being destroyed when a vulnerability in its control software was exploited.
In 2008, a war erupted between Russia and Georgia. The first salvo was denial-of-service attacks aimed at Georgian websites, including the Ministry of Foreign Affairs and national banks. The Georgians retaliated by attacking RIA Novosti, a Russian news agency, and other sites. And then it became a shooting war.
Today, new aircraft have radars that can inject destructive digital code into enemy radars, and the USAF is in the process of setting up a 6000-member 24th Air Force to support 1000 cyberwarriors.
Should you be worried if Russia and Georgia duke it out in cyberspace? Maybe not. Should you plan for the possibility that someone will decide 9/11 didn't have enough impact and then carry out an attack on our power grid? Maybe you should.
About 5000 attacks occur against just government and military websites every day, so this isn’t hypothetical. Smart kids gone wrong, cyber criminals, and foreign agents are busy trying to find vulnerabilities they can exploit when the time comes. But this isn’t just a military problem. Oil companies have been attacked, and financially sensitive information on the location, quantity, and value of oil discoveries has been stolen. And there’s Google and PayPal, and Visa and Mastercard, and yes, even American Express. In a low-level way, they’re all constantly under attack. And you are too. If you have a computer and connect it to the Internet, within 20 minutes it’s infected even if your anti-virus programs don’t know it.
Business Continuity Plan
How do you stop this kind of threat? You don't. You manage it, and you make sure you have a way to continue operating while under attack.
In 1947 Albert Einstein famously said, “I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones.” If a cyberwar breaks out or a hacker decides to strike, do you have paper and pencil procedures that will help you to stay in business, at some level, until sanity is restored?
A business continuity plan can mean the difference between survival and failure. Depending on the nature of your business, such a plan could be the result of an afternoon’s thought and a few pages filed away, just in case. But the time will be well spent.
For bigger companies, the plan could be the culmination of an analysis of threats and their effect, a thorough asset management review that identifies available and relocatable resources (including manual work-arounds), and a cost-effective disaster recovery solution. Such an extensive plan will also include a testing phase designed to convince your organization that it can work.
Such a plan was developed by the Washington, D.C. Police Department, and I was asked by the Chief to help test a small part of it: their computer facility’s security and emergency operating plan. It didn’t go well.
When I arrived, there was a big sign pointing toward the computer center, a side door into a hallway protected with a cipher lock was propped open with a trash can, and I walked in unchallenged by waving an IBM badge. I put my briefcase next to their central processing unit, and called the Chief to tell him I was already in the computer room and had left my harmless but “suspicious” briefcase next to their multi-million-dollar computer. Things got exciting very quickly, but went according to plan. You’ll have trouble finding the computer center today, and I guarantee you’ll have trouble getting in, even if you’re from IBM.
Do You Have a Plan?
Do you have a plan if hackers flood your website with bogus purchases or a hurricane floods your computer? Do you have a plan if The Big One happens? Do you have a way to conduct business entirely with cash if Chinese hackers decide to shut down our Internet?
You’re right, it’s not very likely. But neither were 9/11, Hurricane Katrina, or the Northridge earthquake. And what about the Geological Survey estimate that a quake measuring 7 or greater has a better than 50% chance of occurring within 75 years, and will cost $390 billion? Is your company figured into those costs?